CVE-2021-24174
Database Backups <= 1.2.2.6 - CSRF to Backup Download
In short
The Database Backups WordPress plugin fails to protect against CSRF attacks, allowing attackers to trick logged-in users into performing unwanted actions like creating backups, changing settings, or deleting backups without their knowledge.
Technical detail
CWE-352 (Cross-Site Request Forgery): the Database Backups plugin ≤ 1.2.2.6 performs no token (nonce) validation on its state-changing operations. An attacker can craft a request (GET or POST) that triggers backup generation, configuration modification, or backup deletion when a logged-in administrator visits a page under the attacker's control; the browser attaches the administrator's session cookie, so the attacker needs no credentials of their own.
Summary generated and translated by AI from the official description.
The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged-in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups.
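The missing check described above is a nonce check on a state-changing admin action. The following is an added illustration, not code from the Database Backups plugin: a hypothetical "delete backup" handler in the vulnerable shape (capability check only, which does not stop CSRF because the victim is an administrator) next to the hardened shape using WordPress's built-in nonce functions. All function names prefixed db_backups_, the action slug and the admin page slug are assumptions.

```php
<?php
// Added illustration, not code from the Database Backups plugin.
// Every db_backups_* name, the action slug and the page slug are hypothetical.

// --- Vulnerable pattern: state-changing action with no CSRF token check ---
// A request that reaches this handler while the administrator's session cookie
// is attached (e.g. a form auto-submitted from a third-party page) runs the action.
// The capability check alone does not help: the victim IS an administrator.
function db_backups_handle_delete_insecure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $backup = isset( $_REQUEST['backup'] )
        ? sanitize_file_name( wp_unslash( $_REQUEST['backup'] ) )
        : '';
    // ... delete the backup file named $backup ...
}

// --- Hardened pattern: nonce bound to the action and object, verified first ---

// 1. Emit the delete link with a nonce. wp_nonce_url() appends a _wpnonce
//    parameter tied to the current user, the action string and a time window.
function db_backups_delete_link( $backup ) {
    $url = add_query_arg(
        array( 'action' => 'db_backups_delete', 'backup' => $backup ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'db_backups_delete_' . $backup );
}

// 2. Verify the nonce before any state change, then the capability.
//    check_admin_referer() stops the request with a "link has expired" page
//    when the nonce is absent or does not match this user + action.
function db_backups_handle_delete_secure() {
    $backup = isset( $_REQUEST['backup'] )
        ? sanitize_file_name( wp_unslash( $_REQUEST['backup'] ) )
        : '';
    check_admin_referer( 'db_backups_delete_' . $backup );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // ... delete the backup file named $backup ...
    wp_safe_redirect( admin_url( 'admin.php?page=db_backups&deleted=1' ) );
    exit;
}
add_action( 'admin_post_db_backups_delete', 'db_backups_handle_delete_secure' );

// 3. The same applies to the settings form: render a nonce field inside it ...
function db_backups_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'db_backups_save_settings' );
    echo '<input type="hidden" name="action" value="db_backups_save_settings">';
    // ... settings inputs ...
    submit_button();
    echo '</form>';
}

// ... and verify it in the handler before touching any option.
function db_backups_handle_save_settings() {
    check_admin_referer( 'db_backups_save_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $interval = isset( $_POST['interval'] ) ? absint( $_POST['interval'] ) : 0;
    update_option( 'db_backups_interval', $interval );
    wp_safe_redirect( admin_url( 'admin.php?page=db_backups&updated=1' ) );
    exit;
}
add_action( 'admin_post_db_backups_save_settings', 'db_backups_handle_save_settings' );
```

The design point is that a nonce is per-user, per-action and time-limited, so a page on another origin cannot forge it, while a capability check only answers "may this user do it", which is exactly what CSRF abuses. When reviewing a plugin for this class of bug, look for admin_post_*, admin-ajax.php and menu-page handlers that change options or files without a check_admin_referer()/wp_verify_nonce() call before the write.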
Affected products
Unknown · Database Backups
Public PoCs found: 2
cve_reference: packetstormsecurity.com/files/163091/WordPress-Database-Backups-1.2.2.6-Cross-Site-Request-Forgery.html (unverified)
exploitdb: www.exploit-db.com/exploits/49984 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.